lewdlime / abcm2ps

abcm2ps is a command line program which converts ABC to music sheet in PostScript or SVG format. It is an extension of abc2ps which may handle many voices per staff. abcm2ps is Copyright © 2014-2016 Jean-Francois Moine.
http://moinejf.free.fr/
GNU General Public License v3.0

null pointer dereference in go_global_time() in parse.c #99

Closed chibataiki closed 3 years ago

chibataiki commented 3 years ago

Hi, a null pointer dereference was found in go_global_time() in parse.c.

version: 9fa642d

env: Ubuntu 20.04 x86_64, gcc version 9.3.0

reproduce:
./configure
make
./abcm2ps poc

null_pointerparse.c_go_global_time_720.zip

The pointer s2 needs more checking here. Debug info:

── source:parse.c+720 ────
    715         for (s2 = s; s2; s2 = s2->ts_next) {
    716             if (s2->type == BAR
    717              && s2->time != 0)
    718                 break;
    719         }
           // s2=0x00007fffffffe078  →  0x0000000000000000
 →  720         if (s2->time < voice_tb[cursys->top_voice].meter.wmeasure)
    721             s = s2;
    722         goto chk_time;
    723     }
    724     for ( ; s; s = s->ts_next) {
    725         if (s->type == BAR
── threads ────
[#0] Id 1, Name: "abcm2ps", stopped 0x55555555bd4a in go_global_time (), reason: SIGSEGV
─── trace ────
[#0] 0x55555555bd4a → go_global_time(s=0x5555555fa130, symsel=0x5555556040e8)
[#1] 0x55555558a13a → set_bar_num()
[#2] 0x55555558a13a → generate()
[#3] 0x55555558a5f8 → gen_ly(eob=0x0)
[#4] 0x555555590918 → do_tune()
[#5] 0x55555555eb7d → abc_eof()
[#6] 0x55555557ae6c → frontend(s=<optimized out>, ftype=<optimized out>, fname=<optimized out>, linenum=0x4)
[#7] 0x55555555d33b → treat_file(fn=0x7fffffffe6a0

gef➤  p s2
$1 = (struct SYMBOL *) 0x0

chibataiki commented 3 years ago

Tried and fixed, thanks for the work.
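The crash above comes from the scan on parse.c lines 715-719: the loop stops either at the first BAR whose time is nonzero or when ts_next runs out, and line 720 dereferences s2 in both cases. The following is an added example, not code from the abcm2ps project or from the reporter: a stand-alone C model of that loop with a minimal stand-in for struct SYMBOL (only the type, time and ts_next fields), assumed type codes NOTE and BAR, an assumed measure length of 1536 units standing in for voice_tb[cursys->top_voice].meter.wmeasure, and two constructed symbol chains, one with a bar line at a nonzero time and one whose only bar line sits at time 0 so the scan returns NULL. The unchecked function keeps the shape of the original code; the checked one shows one way to guard it (keeping the original start symbol when no such bar exists), which is an assumption, not the project's actual fix.

```c
#include <stddef.h>
#include <stdio.h>

/* Symbol type codes; assumed values, only BAR matters for the scan. */
enum { NOTE = 1, BAR = 2 };

/* Minimal stand-in for abcm2ps's struct SYMBOL with just the fields the
 * loop in go_global_time() touches (field names follow parse.c). */
struct SYMBOL {
    int type;               /* NOTE or BAR */
    int time;               /* start time in the tune, in length units */
    struct SYMBOL *ts_next; /* next symbol in time order, NULL at the end */
};

/* Illustrative measure length standing in for meter.wmeasure (assumed:
 * one whole note of 1536 units). */
#define WMEASURE 1536

/* Same loop as parse.c lines 715-719: find the first BAR whose time is
 * not 0.  Returns NULL when the time-linked list ends first; that is the
 * case the unconditional dereference on line 720 does not handle. */
struct SYMBOL *first_nonzero_bar(struct SYMBOL *s)
{
    struct SYMBOL *s2;

    for (s2 = s; s2; s2 = s2->ts_next) {
        if (s2->type == BAR && s2->time != 0)
            break;
    }
    return s2;
}

/* Shape of the original code: s2 is dereferenced whether or not the scan
 * found anything.  With a chain that has no nonzero-time BAR this reads
 * through a NULL pointer, which is the SIGSEGV in the report. */
struct SYMBOL *pick_start_unchecked(struct SYMBOL *s, int wmeasure)
{
    struct SYMBOL *s2 = first_nonzero_bar(s);

    if (s2->time < wmeasure)    /* crashes when s2 == NULL */
        s = s2;
    return s;
}

/* One way to harden it (an assumption, not the project's actual fix):
 * when no such bar exists, keep the original start symbol. */
struct SYMBOL *pick_start_checked(struct SYMBOL *s, int wmeasure)
{
    struct SYMBOL *s2 = first_nonzero_bar(s);

    if (s2 != NULL && s2->time < wmeasure)
        s = s2;
    return s;
}

/* Link an array of symbols into a ts_next chain. */
static struct SYMBOL *link_chain(struct SYMBOL *buf, const int *types,
                                 const int *times, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++) {
        buf[i].type = types[i];
        buf[i].time = times[i];
        buf[i].ts_next = (i + 1 < n) ? &buf[i + 1] : NULL;
    }
    return n ? buf : NULL;
}

/* Constructed input: a note, a note, a bar line at time 768, a note. */
struct SYMBOL *tune_with_bar(void)
{
    static struct SYMBOL buf[4];
    static const int types[] = { NOTE, NOTE, BAR, NOTE };
    static const int times[] = { 0, 384, 768, 768 };

    return link_chain(buf, types, times, 4);
}

/* Constructed input: the only bar line sits at time 0, so the scan skips
 * it and runs off the end of the chain. */
struct SYMBOL *tune_without_nonzero_bar(void)
{
    static struct SYMBOL buf[3];
    static const int types[] = { NOTE, BAR, NOTE };
    static const int times[] = { 0, 0, 384 };

    return link_chain(buf, types, times, 3);
}

int main(void)
{
    struct SYMBOL *ok = tune_with_bar();
    struct SYMBOL *bad = tune_without_nonzero_bar();

    printf("with bar: start moves to time %d\n",
           pick_start_checked(ok, WMEASURE)->time);
    printf("no nonzero bar: scan returns %s, checked start stays at time %d\n",
           first_nonzero_bar(bad) == NULL ? "NULL" : "a symbol",
           pick_start_checked(bad, WMEASURE)->time);
    /* pick_start_unchecked(bad, WMEASURE) would dereference NULL here. */
    return 0;
}
```

The second chain is the shape a fuzzed input like the attached poc produces: every bar line the scan could stop at has time 0, so s2 walks to the end of the list. Reading the real parse.c, the guard belongs on line 720 and must treat s2 == NULL as "no bar found" rather than falling through to the comparison.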